Security Incidents mailing list archives

Re: Undernet/telnet attempts?


From: Stephen.Cooper () BIS ORG (Stephen Cooper)
Date: Thu, 9 Mar 2000 11:24:47 +0100


Hello,

I recently left a large Middle Eastern country (I do not wish to be inflammatory, so I will not name it in a public 
forum); having experienced certain phenomena there, your email makes me smile!!!!

In that country the Internet backbone is concealed behind a massive firewall and a bank of Squid proxy servers, which 
blocks ports 80 and 443. Not many people outside will see much of what I will describe.

However, should you dial in to a local ISP (of which there are a lot) and be running a tool such as Back Officer 
Friendly or BlackICE or equivalent, you will be absolutely bombarded by telnet attempts, BackOrifice probes, ping scans, 
port scans and on and on. You do not need to be running. All coming from dial-up users connected to that backbone via 
various ISPs. It's kind of disturbing when you first see it, but you get used to it and there is very little you can do 
about it.

It kind of puts a minor thing like you describe into perspective.

This email expresses personal opinions that bear absolutely no relation to my current occupation.

Regards, Stephen.

"Tibor, Mike" <tibor () LIB UAA ALASKA EDU> 02/23/00 02:06am >>>
On Fri, 18 Feb 2000, SecOrg wrote:

I have gotten a number of telnet attempts/scans on my server from undernet
IRC hosts. A couple of the hosts were
dallas-r.tx.us.undernet.org
ProxyScan.MD.US.Undernet.Org

As the name implies, I am guessing they are scanning wingates/proxies,
etc. for security/eggdrop reasons. Does anyone know if they scan all
incoming connections for telnet (wingate) ports?  And if so, why they would
try to connect to it afterwards? Maybe some kind of fingerprinting
technique that would find out if it is an open wingate?

I've experienced those probes myself, and in email exchanges with the
technical contacts (angel111 () ns2 cetlink net, danny () chatsystems com,
abuse () undernet org, noc () u1 abs net), they vehemently claim to only probe
each machine when it makes an IRC connection to them (i.e., the incoming IRC
connection triggers the probe).

The problem *I* have with it is that when I confronted them they couldn't
produce any evidence my server ever made those connections--they
apparently don't keep any logs.  In my case it's rather interesting as
only 4 people other than myself have shell access to my server, and none
of us has *ever* done any IRC activity from it (and I'm also confident it
hasn't been rooted).

Mike

--
Mike Tibor         Univ. of Alaska Anchorage    (907) 786-1001 voice
LAN Technician     Consortium Library             (907) 786-6050 fax
tibor () lib uaa alaska edu       http://www.lib.uaa.alaska.edu/~tibor/ 
http://www.lib.uaa.alaska.edu/~tibor/pgpkey  for PGP public key

DISCLAIMER: Any e-mail messages from the Bank for International Settlements are sent in good faith, but shall not be 
binding nor construed as constituting any obligation on the part of the Bank.

CONFIDENTIALITY NOTICE: This e-mail contains confidential information, which is intended only for the use of the 
recipient(s) named above. If you have received this communication in error, please notify the sender immediately via 
e-mail and return the entire message. Thank you for your assistance.
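Mike's complaint is that the scanners' operators kept no logs, so the claim "we only probe hosts that connect to our IRC servers" could not be checked either way. The one party that can check it is the probed site, provided it keeps its own connection logs. The script below is an added example written for this archive page, not code from either poster: it reads constructed firewall-style log lines (the line format, the host `myhost.example.edu`, the ten-minute window and the list of probed ports are assumptions for the example; the undernet hostnames are the ones named in the thread, and 6665-6669/7000 are the customary IRC ports) and labels each inbound probe from an undernet host as "triggered" if our server opened an IRC connection to that network shortly before, or "unsolicited" if it did not.

```python
"""Correlate inbound probes from an IRC network's scanner hosts with our own
outbound IRC connections, to test the claim that every probe is triggered by
an IRC session we initiated.

Log format is constructed for this example (it is not any real firewall's):
    <ISO timestamp> <IN|OUT> <src_host>:<src_port> -> <dst_host>:<dst_port> <proto>
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 7000}   # customary IRC server ports
PROBED_PORTS = {23, 1080, 8080, 3128}              # telnet / WinGate / SOCKS / HTTP proxy (assumed)
SCANNER_SUFFIXES = ("undernet.org",)               # network named in the thread; matched by suffix

# Constructed sample log; myhost.example.edu is a placeholder for the probed server.
SAMPLE_LOG = """
2000-02-18T14:00:05 OUT myhost.example.edu:32811 -> dallas-r.tx.us.undernet.org:6667 tcp
2000-02-18T14:00:09 IN dallas-r.tx.us.undernet.org:52390 -> myhost.example.edu:23 tcp
2000-02-18T14:00:10 IN dallas-r.tx.us.undernet.org:52391 -> myhost.example.edu:1080 tcp
2000-02-19T03:17:44 IN ProxyScan.MD.US.Undernet.Org:33102 -> myhost.example.edu:23 tcp
2000-02-19T03:17:45 IN ProxyScan.MD.US.Undernet.Org:33103 -> myhost.example.edu:8080 tcp
2000-02-19T03:20:00 IN 192.0.2.77:1234 -> myhost.example.edu:80 tcp
""".strip().splitlines()


@dataclass
class Event:
    ts: datetime
    direction: str      # "IN" = towards our server, "OUT" = initiated by our server
    src_host: str
    src_port: int
    dst_host: str
    dst_port: int


def _split_endpoint(endpoint):
    host, port = endpoint.rsplit(":", 1)
    return host.lower(), int(port)      # lower-case so mixed-case DNS names compare equal


def parse_line(line):
    ts, direction, src, _arrow, dst, _proto = line.split()
    src_host, src_port = _split_endpoint(src)
    dst_host, dst_port = _split_endpoint(dst)
    return Event(datetime.fromisoformat(ts), direction, src_host, src_port, dst_host, dst_port)


def is_scanner(host):
    return any(host.endswith(suffix) for suffix in SCANNER_SUFFIXES)


def correlate(lines, window=timedelta(minutes=10)):
    """Return (probe, trigger) pairs: trigger is the most recent outbound IRC
    connection from us to the scanner's network within `window` before the
    probe, or None if there was none (an unsolicited scan)."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    outbound_irc = [e for e in events
                    if e.direction == "OUT" and e.dst_port in IRC_PORTS and is_scanner(e.dst_host)]
    results = []
    for probe in events:
        if probe.direction != "IN" or not is_scanner(probe.src_host) \
                or probe.dst_port not in PROBED_PORTS:
            continue
        trigger = next((o for o in reversed(outbound_irc)
                        if probe.ts - window <= o.ts <= probe.ts), None)
        results.append((probe, trigger))
    return results


def summarize(lines):
    counts = {"triggered": 0, "unsolicited": 0}
    for _probe, trigger in correlate(lines):
        counts["triggered" if trigger else "unsolicited"] += 1
    return counts


if __name__ == "__main__":
    for probe, trigger in correlate(SAMPLE_LOG):
        status = f"triggered by OUT {trigger.ts} -> {trigger.dst_host}:{trigger.dst_port}" \
            if trigger else "UNSOLICITED"
        print(f"{probe.ts} {probe.src_host} -> port {probe.dst_port}: {status}")
    print(summarize(SAMPLE_LOG))
```

On the sample data the two probes from dallas-r follow an outbound connection to its port 6667 by a few seconds and are marked triggered, while the two ProxyScan probes the next night have no outbound IRC session anywhere near them and come out unsolicited; that second class is exactly the evidence Mike could not get from the other side. The ten-minute window is generous on purpose: a scanner that queues its checks may lag the IRC connect, and a too-narrow window would produce false "unsolicited" findings.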


